
[suse-security] Email Spoofing



We are using Suse 9.0 Professional. I am getting email that is claiming to be from my domain, and the Postfix logs confirm it is from an outside IP. After searching the logs, I figured out where the connection initiated, and then the regular SMTP traffic proceeded with the spoofed email address (user@xxxxxxxxxxxx) to my real user's email address (realusers@xxxxxxxxxxxx). The unique identifiers helped me correlate the traffic. There were two other email sessions that, based on their unique identifier, did not have the full SMTP process. For example, this is all that is entered in the logs for the unique process. I usually see a connect and disconnect process before and after this, and the random-character user does not exist! BTW, this is a mail gateway for Exchange.

Any ideas??

Jul 20 11:54:59 gateway postfix/smtp[10247]: 649E6AD30: to=<user1@xxxxxxxxxxxx>, relay=10.0.0.5[10.0.0.5], delay=14, status=sent (250 2.6.0 <hxdgpusiesezuvbkmcc@xxxxxxxxxxxx> Queued mail for delivery)

Jul 20 11:55:10 gateway postfix/smtp[10247]: 8BFB2AD43: to=<user2@xxxxxxxxxxxx>, relay=10.0.0.5[10.0.0.5], delay=25, status=sent (250 2.6.0 <oityeuiuogzvyivawrs@xxxxxxxxxxxx> Queued mail for delivery)

Thanks,

Eric

--
______________________________________________________________________

Eric Kahklen, MS
530 4th Ave. W. Seattle, WA
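As an added example (not Eric's code and not part of this thread), a short Python script that does the queue-ID correlation described in the post over a constructed sample of Postfix log lines: it groups lines per queue ID, then flags IDs that show a delivery to the relay with no smtpd (or pickup) record for the inbound side, and envelope senders claiming the local domain from a client outside the internal network. The local domain, the internal network prefix and the sample log lines are assumptions.

```python
import re
from collections import defaultdict

LOCAL_DOMAIN = "xxxxxxxxxxxx"   # assumed: the gateway's own mail domain
LOCAL_NETS = ("10.",)           # assumed: address prefixes of trusted internal clients

# Constructed sample (not from a real system): one complete inbound session
# followed by two orphan delivery lines of the kind shown in the post.
SAMPLE_LOG = """\
Jul 20 11:54:30 gateway postfix/smtpd[10231]: connect from unknown[203.0.113.7]
Jul 20 11:54:31 gateway postfix/smtpd[10231]: 3C1A2AD2F: client=unknown[203.0.113.7]
Jul 20 11:54:31 gateway postfix/qmgr[3120]: 3C1A2AD2F: from=<user@xxxxxxxxxxxx>, size=1234, nrcpt=1 (queue active)
Jul 20 11:54:45 gateway postfix/smtp[10247]: 3C1A2AD2F: to=<realusers@xxxxxxxxxxxx>, relay=10.0.0.5[10.0.0.5], delay=14, status=sent (250 2.6.0 Queued mail for delivery)
Jul 20 11:54:45 gateway postfix/qmgr[3120]: 3C1A2AD2F: removed
Jul 20 11:54:46 gateway postfix/smtpd[10231]: disconnect from unknown[203.0.113.7]
Jul 20 11:54:59 gateway postfix/smtp[10247]: 649E6AD30: to=<user1@xxxxxxxxxxxx>, relay=10.0.0.5[10.0.0.5], delay=14, status=sent (250 2.6.0 <hxdgpusiesezuvbkmcc@xxxxxxxxxxxx> Queued mail for delivery)
Jul 20 11:55:10 gateway postfix/smtp[10247]: 8BFB2AD43: to=<user2@xxxxxxxxxxxx>, relay=10.0.0.5[10.0.0.5], delay=25, status=sent (250 2.6.0 <oityeuiuogzvyivawrs@xxxxxxxxxxxx> Queued mail for delivery)
"""

# Matches only lines carrying a queue ID; "connect from"/"disconnect from" lines do not.
LINE_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ postfix/(?P<prog>\w+)\[\d+\]: (?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$")

def parse_sessions(log_text):
    """Group log lines by queue ID, recording which daemons logged it and the envelope."""
    sessions = defaultdict(lambda: {"progs": set(), "client": None, "from": None, "to": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] == "NOQUEUE":
            continue
        s = sessions[m["qid"]]
        s["progs"].add(m["prog"])
        rest = m["rest"]
        if rest.startswith("client="):
            s["client"] = rest[len("client="):]
        elif rest.startswith("from=<"):
            s["from"] = rest[6:rest.index(">")]
        elif rest.startswith("to=<"):
            s["to"].append(rest[4:rest.index(">")])
    return sessions

def find_suspicious(sessions):
    """Return {queue_id: [reasons]} for sessions worth a closer look."""
    findings = {}
    for qid, s in sessions.items():
        reasons = []
        # Delivered onward, but no smtpd/pickup record: the inbound half of the session is missing.
        if "smtp" in s["progs"] and not s["progs"] & {"smtpd", "pickup"}:
            reasons.append("orphan delivery (no inbound session logged)")
        # Envelope sender claims our own domain, yet the client connected from outside.
        if s["from"] and s["from"].endswith("@" + LOCAL_DOMAIN) and s["client"]:
            ip = s["client"].rsplit("[", 1)[-1].rstrip("]")
            if not ip.startswith(LOCAL_NETS):
                reasons.append(f"local sender {s['from']} from external client {ip}")
        if reasons:
            findings[qid] = reasons
    return findings
```

Run it against the real log with `parse_sessions(open("/var/log/mail").read())` and compare the orphan queue IDs against the maillog on the Exchange side to see where those messages actually entered.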


